U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

EPA Has Taken Steps to Address Cyber Threats but Key Actions Remain Incomplete
Report No. 11-P-0277

June 23, 2011

Report Contributors: Patricia H. Hill, Stephen J. Nesbitt, Rudolph M. Brevard, Cheryl Reid, Scott Sammons

Abbreviations

APT       Advanced Persistent Threat
ASSERT    Automated System Security Evaluation and Remediation Tracking
CIO       Chief Information Officer
CSIRC     Computer Security Incident Response Capability
CTS       Customer Technology Solutions
EPA       U.S. Environmental Protection Agency
ETP       Enterprise Transition Plan
FY        Fiscal year
NIST      National Institute of Standards and Technology
OEI       Office of Environmental Information
OIG       Office of Inspector General
US-CERT   United States Computer Emergency Readiness Team

Hotline

To report fraud, waste, or abuse, contact us through one of the following methods:

e-mail:   OIG_Hotline@epa.gov
phone:    1-888-546-8740
fax:      703-347-8330
online:   http://www.epa.gov/oig/hotline.htm
write:    EPA Inspector General Hotline, 1200 Pennsylvania Avenue NW, Mailcode 8431P (Room N-4330), Washington, DC 20460

U.S.
Environmental Protection Agency
Office of Inspector General
11-P-0277
June 23, 2011

At a Glance
Catalyst for Improving the Environment

EPA Has Taken Steps to Address Cyber Threats but Key Actions Remain Incomplete

Why We Did This Review

We reviewed prior audit work to highlight unimplemented actions the U.S. Environmental Protection Agency (EPA) should take to protect network resources from the increase of Advanced Persistent Threats (APTs) within the Agency.

Background

An APT is a cybercrime designed to steal or modify information without detection. These attacks are targeted at organizations, businesses, and political entities, and the perpetrators are usually organized and well funded. APTs are typically tailored, using multiple attack methodologies and tools, for specific targets. After an attack on the specific target has been successful, the threat maintains a foothold on the target for future exploitation.

What We Found

News publications have reported that APTs are increasingly prevalent throughout the federal government. In November 2009, the Agency reported 14 compromised systems that were associated with an Office of Inspector General investigation of APTs. By September 2010, the Agency reported that over 7,800 of its systems had communicated with known hostile Internet protocol addresses. These Agency systems potentially could have been compromised by APTs due to these communications. The National Institute of Standards and Technology reports that organizations must enhance risk management and information security governance to guard against APTs.

We issued previous reports and made recommendations that could help the Agency strengthen cyber security practices for combating APTs. However, some of those recommendations remain unimplemented, and we continue to find and report on similar weaknesses at other EPA locations. EPA should address open recommendations, be proactive in implementing agreed-upon actions without further delay, and take steps to improve cyber security practices throughout the entire Agency. If EPA does not take these steps, its information security weaknesses could negatively affect the availability and integrity of all Agency data.

What We Recommend

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer issue a memorandum to Office of Environmental Information executives stressing the importance of and expectation for completing audit recommendations by the agreed-upon milestone date, strengthen management control processes for monitoring and completing all open and future audit recommendations by the agreed-upon milestone date, and update the Enterprise Transition Plan Information Management segment to define the actions the Agency plans to take to achieve its security target architecture.

The Agency agreed with all the recommendations except for the recommendation to update its audit control process to require the Chief Information Officer to approve milestone date extensions. Management stated that it implemented a new audit control process giving the Chief Information Officer monthly status reports, and we removed the recommendation.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

The full report is at: www.epa.gov/oig/reports/2011/20110623-11-P-0277.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

June 23, 2011

MEMORANDUM

SUBJECT:  EPA Has Taken Steps to Address Cyber Threats but Key Actions Remain Incomplete
          Report No. 11-P-0277

FROM:     Arthur A. Elkins, Jr.
          Inspector General

TO:       Malcolm D. Jackson
          Assistant Administrator for Environmental Information and Chief Information Officer

This is our report on the subject audit conducted by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This report contains findings that describe the problems the OIG has identified and corrective actions the OIG recommends. This report represents the opinion of the OIG and does not necessarily represent the final EPA position. Final determinations on matters in this report will be made by EPA managers in accordance with established audit resolution procedures.

The estimated direct labor and travel costs for this report are $128,210.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days.
You should include a corrective action plan for agreed-upon actions, including milestone dates. Your response will be posted on the OIG's public website, along with our memorandum commenting on your response. Your response should be provided as an Adobe PDF file that complies with the accessibility requirements of Section 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data that you do not want to be released to the public; if your response contains such data, you should identify the data for redaction or removal. We have no objections to the further release of this report to the public. We will post this report to our website at http://www.epa.gov/oig.

If you or your staff have any questions regarding this report, please contact Rudolph M. Brevard, Director, Information Resources Management Assessments, at (202) 566-0893 or brevard.rudy@epa.gov; or Cheryl Reid, Project Manager, at (919) 541-2256 or reid.cheryl@epa.gov.

Table of Contents

Purpose ............................................................ 1
Background ......................................................... 1
Scope and Methodology .............................................. 2
Increases in APTs Heighten Need to Improve Cyber Security .......... 2
EPA's Plans for Combating Current Cyber Threat ..................... 3
Audit Work Continues to Highlight Improvements Needed in
  EPA's Information Security Practices ............................. 4
Recommendations .................................................... 7
Agency Response and OIG Comments ................................... 8
Status of Recommendations and Potential Monetary Benefits .......... 9

Appendices
A  Agency Response to Draft Report ................................ 10
B  Summaries of OIG Information Security Reports and Memorandum ... 13
C  Open Recommendations ........................................... 17
D  Distribution ................................................... 19

Purpose

We sought to highlight unimplemented actions the U.S. Environmental Protection Agency (EPA) should take to protect network resources from the increase of Advanced Persistent Threats (APTs) within the Agency.

Background

An APT is a cybercrime[1] designed to steal or modify information without detection. These attacks are targeted at organizations, businesses, and political entities. The attackers that carry them out are typically organized and well funded. Unlike other virus attacks that may be launched at thousands of random computers on the Internet, APT activities are tailored, using multiple attack methodologies and tools, for specific targets. After a target has been successfully attacked, the attacker maintains a foothold on the target for future exploits. In other words, after an organization fixes the initial vulnerability, the attacker will be able to persist in an automated and hidden mode, remaining on the network unbeknownst to the organization.

In June 2010, the National Institute of Standards and Technology (NIST) reported that federal agencies must take steps in the five areas below to strengthen their risk management and information security governance practices to prepare for these attacks:

1. Develop an organizational risk management and information security strategy.

2. Integrate information security requirements into the organization's core missions and business processes, enterprise architecture, and system development life cycle processes.

3. Allocate management, operational, and technical security controls to organizational information systems and environments of operation based on an enterprise security architecture.

4. Implement a robust continuous monitoring program to understand the ongoing security state of organizational information systems.

5. Develop a strategy and capability for the organization to operate while under attack, conducting critical missions and operations, if necessary, in a degraded or limited mode.

[1] Cybercrime refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target.

NIST reported that addressing APTs requires a major change in strategic thinking to understand that this class of threat cannot always be kept outside of an agency's defensive perimeters and most likely already resides on its networks. As such, agencies need to employ methods to constrain the threats to ensure the resiliency of their missions and business processes.

Scope and Methodology

We performed this audit from July 2010 through April 2011. We reviewed Office of Inspector General (OIG) audit work and reports issued from fiscal years (FYs) 2008 through 2010, as well as cyber security issues identified during investigations. We reviewed corrective action plans related to open audit recommendations. We reviewed EPA's FY 2010 Agency Financial Report to identify management's actions to address the OIG-identified top management challenge regarding cyber security. We reviewed EPA's Management Audit Tracking System to identify the current milestone dates management identified for completing unimplemented audit recommendations.

Appendix A of this report contains a summary of several OIG audit and evaluation reports and a memorandum assessing EPA's information technology security. We used the analysis of these documents to develop multiple sections of this report.

In December 2010, we provided the Agency a copy of our analysis. We included the Agency's response to our analysis in the report where appropriate. We did not evaluate assertions the Agency made in its response.

We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our conclusions based on the objectives. We believe the evidence obtained provides a reasonable basis for our conclusions.

Increases in APTs Heighten Need to Improve Cyber Security

Security articles have reported that APTs are an increasing presence throughout the federal government. In addition, these articles indicated that U.S. government websites, including those of the White House and State Department, have come under broad cyber attacks since July 2009. The authors of these articles believe that a large-scale cyber attack could be as devastating to the U.S. economy and infrastructure as a terrorist bombing.

Four quarterly trend reports covering the period February 2010 through January 2011, issued by the EPA Computer Security Incident Response Capability (CSIRC) center, highlight the need for the Agency to strengthen its ability to respond to cyber threats. According to the reports, there was an average of 565 security incidents per quarter.
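The figure of over 7,800 potentially compromised systems cited in At a Glance comes from matching Agency hosts' outbound communications against known hostile addresses. As an added example, not part of this report and not EPA's or the CSIRC center's tooling, the following Python script shows that detection in miniature: it matches connection records against an indicator list and reports the average daily number of distinct flagged hosts over the three reporting periods used in figure 1 of this report. The indicator values, host names and log lines are constructed for the example.

```python
"""Added example (not EPA's or the OIG's code): flag hosts whose outbound
connections match known hostile addresses or domains, then summarise the result
as an average daily count of distinct flagged hosts per reporting period, which
is the statistic behind figure 1. All indicators and log lines are constructed."""
from collections import defaultdict
from datetime import date
import ipaddress

# Constructed indicator list. The addresses are RFC 5737 documentation ranges and
# the domains are reserved example names; none is a real US-CERT indicator.
HOSTILE_INDICATORS = {
    "ips": {"203.0.113.7", "198.51.100.22"},
    "cidrs": [ipaddress.ip_network("192.0.2.0/24")],
    "domains": {"bad.example", "c2.example.net"},
}

# Figure 1's reporting periods (inclusive start and end dates, ISO format).
FIGURE_1_PERIODS = [
    ("2009-12-16", "2010-03-15"),
    ("2010-03-16", "2010-06-15"),
    ("2010-06-16", "2010-09-15"),
]

# Constructed proxy/flow records: date, source host, destination IP, destination
# domain ("-" when the connection was made by raw IP).
SAMPLE_LOG = """\
2009-12-16 ws-0101 203.0.113.7 -
2009-12-16 ws-0102 192.0.2.45 -
2009-12-16 ws-0101 198.51.100.22 -
2009-12-17 ws-0103 93.184.216.34 www.example.org
2009-12-17 ws-0104 10.0.0.5 update.bad.example
2010-03-20 ws-0105 192.0.2.200 -
2010-03-21 ws-0105 192.0.2.201 -
"""


def is_hostile(dst_ip, dst_domain, indicators=HOSTILE_INDICATORS):
    """True if the destination matches an exact IP, a listed CIDR block, or a
    listed domain (including any subdomain of it)."""
    if dst_ip in indicators["ips"]:
        return True
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None  # malformed address field: fall through to the domain check
    if addr is not None and any(addr in net for net in indicators["cidrs"]):
        return True
    if dst_domain and dst_domain != "-":
        labels = dst_domain.lower().rstrip(".").split(".")
        # compare every suffix so "update.bad.example" matches "bad.example"
        if any(".".join(labels[i:]) in indicators["domains"] for i in range(len(labels))):
            return True
    return False


def parse_log(text):
    """Yield (day, host, dst_ip, dst_domain) tuples, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, host, dst_ip, dst_domain = line.split()
        yield date.fromisoformat(day), host, dst_ip, dst_domain


def flagged_hosts_per_day(text, indicators=HOSTILE_INDICATORS):
    """Map ISO date -> sorted list of distinct hosts that contacted a hostile
    destination that day (a host counts once however many hits it had)."""
    per_day = defaultdict(set)
    for day, host, dst_ip, dst_domain in parse_log(text):
        if is_hostile(dst_ip, dst_domain, indicators):
            per_day[day.isoformat()].add(host)
    return {d: sorted(hosts) for d, hosts in per_day.items()}


def average_daily_flagged(text, periods=FIGURE_1_PERIODS, indicators=HOSTILE_INDICATORS):
    """For each period, the average number of distinct flagged hosts per calendar
    day. Days with no hits count as zero, so quiet days are not dropped."""
    per_day = flagged_hosts_per_day(text, indicators)
    summary = []
    for start_s, end_s in periods:
        start, end = date.fromisoformat(start_s), date.fromisoformat(end_s)
        days = (end - start).days + 1
        host_days = sum(len(hosts) for d, hosts in per_day.items()
                        if start <= date.fromisoformat(d) <= end)
        summary.append({"start": start_s, "end": end_s, "days": days,
                        "flagged_host_days": host_days, "average": host_days / days})
    return summary


if __name__ == "__main__":
    for row in average_daily_flagged(SAMPLE_LOG):
        print(f"{row['start']} to {row['end']}: {row['average']:.3f} hosts/day")
```

A host that keeps appearing across days (ws-0105 in the sample) is the follow-up case the report's CSIRC finding calls for: a match on one day is a lead, a repeat match is evidence of a foothold.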
The two most frequent categories for incidents\n            were (1) unauthorized scans, probes, and attempted access, and (2) investigations\n            into users\xe2\x80\x99 reports of cyber attacks. EPA noted that the highest number of\n            incidents pertained to possible malicious code infections, a common attack\n            method used by APTs.\n\n            In addition to EPA\xe2\x80\x99s efforts to investigate user reports of cyber attacks, EPA has\n            identified a number of computers attempting to communicate with United States\n            Computer Emergency Readiness Team (US-CERT)-identified suspicious\n            domains. From\n            December 2009 to\n                                                  Figure 1: Average daily number of EPA\n            September 2010, EPA\n                                                  computers potentially compromised by APTs\n            reported that it \n\n            identified over 7,800 \n\n                                                 80\n\n            potentially\n            compromised computers                60\n\n            communicating on the \n\n                                                 40\n\n            Agency\xe2\x80\x99s network.\n                                                20\n            As shown in figure 1,               0\n            while EPA experienced\n                                                      12/16/09 3/16/10 to 6/16/10 to\n            a sharp increase in the                  to 3/15/10 6/15/10      9/15/10\n            number of potential\n            compromises during the              Source: OIG analysis.\n            first 90 days of this\n            period, the Agency\n            noted that the average\n            daily number has decreased over the last 180 days of this period.\n\nEPA\xe2\x80\x99s Plans for Combating Current Cyber Threat\n            In FY 2010, we identified EPA\xe2\x80\x99s limited capability to respond to 
cyber security\n            attacks as a key management challenge confronting the Agency. In EPA\xe2\x80\x99s\n            FY 2010 Agency Financial Report, EPA responded that it will continue to\n            manage the threat through Agency-wide vigilance and improved detection\n            capabilities. EPA responded that it had:\n\n                \xef\x82\xb7\t Affirmed a position to support continuous monitoring across the\n                   information technology infrastructure\n\n                \xef\x82\xb7\t Made investments to improve capability and increase visibility in its\n                   network\n\n                \xef\x82\xb7\t Raised awareness and vigilance across its information security officer\n                   community by providing training and placing a security track into its\n                   e-Learning portal\n\n\n11-P-0277                                                                                   3\n\x0c            EPA noted that it should enhance its information security officer training.\n            Further, EPA stated that it is using existing contracts to augment current\n            contractor staff and pursuing more contract support to focus on detecting APTs.\n\nAudit Work Continues to Highlight Improvements Needed in\nEPA\xe2\x80\x99s Information Security Practices\n            Our audit work and ongoing analysis continue to highlight how EPA\xe2\x80\x99s delays in\n            completing key audit recommendations hinder the Agency\xe2\x80\x99s ability to respond to\n            cyber security attacks. Open recommendations for which milestone dates have\n            passed are published semiannually in the OIG\xe2\x80\x99s Compendium of Unimplemented\n            Recommendations. EPA management extended milestone dates for open\n            recommendations that pertain to cyber security instead of completing corrective\n            actions. 
This practice has left EPA with sporadically implemented information\n            security practices, which thwart the Agency\xe2\x80\x99s ability to promote a focused,\n            multipronged approach in the NIST-recommended areas. Details on EPA with\n            respect to each of the NIST areas follow.\n\n            Organizational Information Security Strategy\n\n            Given the current threat environment, EPA should increase the effectiveness of its\n            key organizational information security strategies. In particular, we found limited\n            assurance that data in the Automated System Security Evaluation and\n            Remediation Tracking (ASSERT) tool are reliable. In addition, we concluded that\n            the CSIRC center lacks the skills and resources to promptly identify and\n            effectively remedy ongoing cyber threats.\n\n               \xef\x82\xb7\t ASSERT. Procedures for oversight and monitoring of self-reported data\n                  provide limited assurance that the data in the system are reliable for\n                  assessing EPA\xe2\x80\x99s computer security program. ASSERT is an online tool to\n                  gather information regarding testing and evaluating EPA\xe2\x80\x99s information\n                  systems. It also tracks progress toward fixing identified security\n                  weaknesses. We found that unsupported responses for self-reported\n                  information contributed to data quality problems. Limited independent\n                  reviews, a lack of training on assessing security controls, and limited\n                  internal reporting of these controls also affected data quality. Unreliable\n                  data in ASSERT make it difficult for management to know where\n                  vulnerabilities exist. Therefore, the system is not reliable for\n                  decisionmaking.\n\n               \xef\x82\xb7\t CSIRC. 
Limited followup activities and an overreliance on US-CERT\n                  lead us to conclude that the CSIRC center does not have the technical\n                  skills or resources needed to promptly identify and remedy ongoing cyber\n                  threats. The CSIRC center is EPA\xe2\x80\x99s Agency-wide approach to protecting\n                  information assets and responding to actual and potential incidents. EPA\n\n\n11-P-0277                                                                                   4\n\x0c                   has traditionally relied on US-CERT to identify external threats, develop\n                   technical solutions, and coordinate government-wide responses to cyber\n                   attacks. EPA had not taken steps to modify a contract to provide forensic\n                   tools and technical expertise to the CSIRC center until APTs rapidly\n                   infiltrated the Agency\xe2\x80\x99s network. At the time of this report, EPA had not\n                   put in place the new contract. This situation is further compounded by\n                   EPA\xe2\x80\x99s limited followup activities to investigate the extent to which\n                   reported incidents may have threatened and impacted Agency systems.\n                   Without these additional skills and resources at the CSIRC center to\n                   effectively fight cyber threats, the number of computers and workstations\n                   compromised by APTs may continue to rise.\n\n            To help ensure the reliability of self-reported data, the Agency stated that it would\n            implement a tool that will provide a platform to build and validate certification\n            and accreditation documentation for all Agency systems. 
EPA also stated that it is\n            providing the CSIRC center with an array of tools to combat APTs.\n\n            Integrated Information Security Requirements\n\n            EPA is not integrating information security into all of its business and mission\n            processes. In particular, EPA did not clearly define processes for contractor\n            oversight, follow key system development life cycle requirements, and ensure\n            managerial controls were in place over information security activities.\n\n               \xef\x82\xb7\t EPA\xe2\x80\x99s Contractor Oversight. EPA has not clearly defined monitoring\n                  duties and responsibilities for contractor oversight, and has not trained\n                  personnel to perform oversight. Because of the lack of training, personnel\n                  are not familiar with their duties and responsibilities regarding oversight\n                  of EPA-owned and contractor-operated systems. As such, these systems\n                  are at risk that APT activities may occur and go undetected. Undetected\n                  APTs can result in loss, destruction, theft, and misuse of sensitive\n                  proprietary information. EPA stated it has and will continue to conduct\n                  certification and accreditation workshops addressing the Agency\xe2\x80\x99s roles\n                  and responsibilities related to contractor oversight processes.\n\n               \xef\x82\xb7\t System Development Life Cycle Processes. EPA placed contractor\n                  equipment into production without a security plan. This plan is a key\n                  system development life cycle step and a federal requirement. Security\n                  planning assesses risks to EPA\xe2\x80\x99s network and is a key factor in\n                  management\xe2\x80\x99s decision to authorize the equipment for use. 
As such,\n                  management lacked the information it needed to protect the Agency\xe2\x80\x99s\n                  network from possible threats posed by the over 11,700 contractor\n                  computers placed into production.\n\n               \xef\x82\xb7\t Managerial Controls Over Information Security Activities. EPA\n                  personnel with significant security responsibilities continue to be unable to\n\n\n11-P-0277                                                                                      5\n\x0c                   show that they executed required information security tasks. In particular,\n                   offices lack evidence that testing of information systems security controls\n                   takes place as required by federal guidance. Also, the offices lack\n                   evidence that contingency plans are tested on an annual basis. Further,\n                   EPA lacks a practice to ensure that an authorizing official receives\n                   credible information to make risk-based decisions. EPA\xe2\x80\x99s business\n                   practice for implementing information security processes is to delegate\n                   these responsibilities to senior managers throughout the Agency. Stronger\n                   management controls are needed to help ensure that security activities are\n                   carried out as intended. These stronger controls would help EPA comply\n                   with requirements and avoid possible cyber security incidents.\n\n            Allocation of Controls Based on Enterprise Security Architecture\n\n            EPA has not clearly defined the Information Management segment of its current\n            Enterprise Transition Plan (ETP). The Information Management segment, which\n            addresses information security at an enterprise architecture level, is \xe2\x80\x9cNotional,\xe2\x80\x9d or\n            not in planning. 
The ETP describes EPA\xe2\x80\x99s overarching strategy for modernizing\n            the Agency\xe2\x80\x99s infrastructure to achieve its target architecture. The ETP does not\n            clearly define the actions it will take to achieve its security target architecture.\n            Given the rapid rise of APTs on EPA\xe2\x80\x99s network, the absence of a clearly defined\n            plan for implementing the Information Management segment shows a lack of\n            commitment on the part of the Agency to address information security from an\n            enterprise-wide perspective. Without this strategy, EPA executives may not be\n            able to make proper investment decisions regarding the necessary tools to combat\n            APTs with an Agency-wide approach.\n\n            The Agency stated that all of the new information security tools that it is putting\n            in place are designed to be implemented at an enterprise level.\n\n            Continuous Monitoring\n\n            EPA has not established an Agency-wide continuous network security monitoring\n            program to identify known vulnerabilities. In this regard, EPA has not completed\n            a key project that would provide its offices with the needed tools to implement an\n            Agency-wide approach for identifying known vulnerabilities. Since 2005, EPA\n            has tried to implement a commercial off-the-shelf network vulnerability tool. Yet,\n            more than 5 years later, EPA is still reviewing the vulnerability management tool.\n            This tool has the ability to identify and correct commonly known security\n            weaknesses. However, project delays have thwarted EPA\xe2\x80\x99s ability to move the\n            project beyond the pilot stage. 
Continuous monitoring is so important that NIST\n            mandated it as a required step for authorizing federal systems to operate.\n\n            We conducted 16 vulnerability tests at 14 locations over the past 3 fiscal years.\n            With the exception of one test, the results continued to show that EPA has\n            weaknesses in identifying known critical vulnerabilities. These results occurred\n\n\n\n11-P-0277                                                                                       6\n\x0c            even though US-CERT alert notices for the critical vulnerabilities identified in\n            our latest tests had been issued to the public from up to 6 months to more than\n            8 years prior to our network test. Therefore, the absence of an Agency-wide\n            continuous monitoring program to identify known vulnerabilities continues to\n            thwart EPA\xe2\x80\x99s ability to detect and correct these repeated threats throughout its\n            network.\n\n            Also, the absence of an Agency-wide process to identify known vulnerabilities\n            left EPA with over 11,700 unmonitored, contractor-owned computers. Without\n            monitoring, it could be possible for a hacker to gain unauthorized, undetected\n            access to the Agency\xe2\x80\x99s network through any of these computers. Lack of an\n            Agency-wide process hinders EPA\xe2\x80\x99s ability to protect the integrity and\n            availability of all Agency data. Given that these weaknesses continue to exist,\n            EPA should be more proactive in increasing oversight and monitoring throughout\n            the entire Agency.\n\n            EPA stated that it has acquired an Agency-wide vulnerability management tool\n            and is currently deploying it. 
The Agency also stated that this tool will provide services such as power management, software deployment and inventory management, patch management, network node discovery, vulnerability management, and security configuration management.

Continuity of Operations

EPA has not set up the controls needed to ensure that it complies with NIST guidelines and EPA policies for annual testing of contingency plans for continuity of operations. Current EPA practices do not ensure that failed contingency tests are addressed and that all stakeholders are informed of test results in a timely manner. Also, the lack of a contingency plan left EPA, for more than 1 year, without a strategy for recovering the data stored on the over 11,700 contractor-owned computers. Without thorough contingency planning, EPA cannot be sure whether it has a properly designed cyber attack recovery strategy.

EPA stated it would implement a centralized database that will contain contingency and disaster recovery plans for EPA systems.

Recommendations

We recommend that the Assistant Administrator for Environmental Information and Chief Information Officer:

1. Issue a memorandum to Office of Environmental Information executives stressing the importance of and expectation for completing audit recommendations by the agreed-upon milestone date.

2. Strengthen management control processes for monitoring and completing all open and future audit recommendations by the agreed-upon milestone date.

3. Update the ETP Information Management segment to define the actions the Agency plans to take to achieve its security target architecture.

Agency Response and OIG Comments

Management stated that over the past 2 years, it made significant personnel and monetary investments and took specific actions to address OIG audits and internal assessments. EPA believes that some of these efforts were not fully accounted for in the draft report. Prior to issuing the draft report, we provided the Agency with the planned report contents and incorporated management’s feedback into the draft and final reports. As noted, management agreed with our report except for the recommendation to update its internal control practice to require Chief Information Officer (CIO) approval of milestone date extensions. Management stated that it implemented a new process to provide the CIO with monthly status reports on all audits. After this process is fully implemented, we believe it should provide the CIO better oversight of planned corrective actions. Therefore, we updated the report. Management’s complete response is in appendix A.

Status of Recommendations and Potential Monetary Benefits

                                                                                                           Potential monetary benefits (in $000s)
Rec.  Page                                                                            Planned      Claimed    Agreed-to
No.   No.   Subject                                  Status¹  Action Official                 completion   amount     amount
                                                                                              date

 1     7    Issue a memorandum to Office of          O        Assistant Administrator for
            Environmental Information executives              Environmental Information and
            stressing the importance of and                   Chief Information Officer
            expectation for completing audit
            recommendations by the agreed-upon
            milestone date.

 2     8    Strengthen management control processes  O        Assistant Administrator for
            for monitoring and completing all open            Environmental Information and
            and future audit recommendations by the           Chief Information Officer
            agreed-upon milestone date.

 3     8    Update the ETP Information Management    O        Assistant Administrator for
            segment to define the actions the Agency          Environmental Information and
            plans to take to achieve its security             Chief Information Officer
            target architecture.

¹ O = recommendation is open with agreed-to corrective actions pending
  C = recommendation is closed with all agreed-to actions completed
  U = recommendation is undecided with resolution efforts in progress

Appendix A

Agency Response to Draft Report
May 11, 2011 (date stamped)

MEMORANDUM

SUBJECT:  OEI Response to Draft Report: EPA Has Taken Steps to Address Cyber Threats But Key Actions Remain Incomplete (OMS-FY10-0035)

From:     Malcolm D. Jackson
          Assistant Administrator and Chief Information Officer

To:       Patricia H. Hill
          Assistant Inspector General for Mission Systems

The purpose of this memorandum is to provide a response to the subject draft report and provide additional clarifications regarding the Office of Environmental Information’s (OEI) actions in response to this and prior Office of Inspector General’s (OIG) reports regarding the Agency’s information security program.

OEI appreciates the OIG’s desire to ensure that EPA’s information and information systems are secure and available to agency staff. These systems and the information within them are essential to the Agency’s success.
As the responsible office for information security in EPA, OEI takes very seriously the charge of ensuring proper controls are implemented and functioning properly to minimize risks to personnel, the EPA’s mission and the nation’s interests.

Over the past two years, OEI has made significant personnel and monetary investments, as well as taken specific actions to address several weaknesses identified in OIG audits and internal assessments. OEI believes that some of these efforts were not fully accounted for in this current draft, which we feel address several of the concerns raised by the OIG in this and prior reports. My staff and I welcome the opportunity to sit with you and your staff to highlight these efforts and to demonstrate how our efforts have in fact addressed many of your concerns and strengthened the Agency’s overall information security posture.

Attached you will find OEI’s detailed responses to your draft report. While OEI cannot agree with all of the statements in the draft report, we look forward to further discussing these recommendations and draft findings to meet the shared desire of both of our organizations to ensure the most robust information security program possible for EPA.

If you have any questions, please feel free to contact me or Robert McKinney, EPA’s Senior Agency Information Security Officer.

cc:
Renee Wynn, Acting Principal Deputy Assistant Administrator, OEI
Vaughn Noga, Director, Office of Technology Operations and Planning
Robert F. McKinney Jr., Senior Agency Information Security Officer

ATTACHMENT: OEI’s Detailed Response to Draft Report: EPA Has Taken Steps to Address Cyber Threats but Key Actions Remain Incomplete (OMS-FY10-0035)

The following are OEI’s responses to the four recommendations identified in the draft report:

1. Issue a memorandum to Office of Environmental Information executives stressing the importance of and expectation for completing audit recommendations by the agreed-upon milestone date.

OEI agrees with this recommendation and the AA/CIO will issue a memorandum. Just for clarification, however, the AA/CIO has already made the audit program a priority on an ongoing basis that stresses the importance of addressing findings effectively and expeditiously. The OEI Audit Coordinator provides the OEI AA and PDAA monthly status reports of all audits and OEI executives must provide updates to the OEI AA in Quarterly Business Reviews. OEI believes that the memorandum, new business processes and this personal attention placed on the issue by the AA/CIO should fully address this recommendation.

2. Strengthen management control processes for monitoring and completing all open and future audit recommendations by the agreed-upon milestone date.

OEI agrees with recommendation 2 and as stated above believes we have taken proactive steps to strengthen the management control processes. OEI believes recommendation 2 has been addressed.

3. Update the process to require the Chief Information Officer’s documented approval to extend agreed-upon milestone dates.

OEI respectfully disagrees with this recommendation, not in substance but as a matter of policy. The controlling policy authority for audit follow up is found in EPA Manual 2750 CH2, EPA’s AUDIT MANAGEMENT PROCESS, dated 12/1998. Unless the AA/CIO is the action official, OEI is unable to find a requirement that the AA be required to provide documented approval to make modifications to milestones. OEI’s position is that we, like any other AAship in the Agency, should follow the OIG’s established procedures outlined in the Manual.

4. Update the Enterprise Transition Plan (ETP) Information Management segment to define actions the Agency plans to take to achieve its security target architecture.

OEI agrees with recommendation 4. The Agency’s ETP was renamed EPA Modernization Blueprint in February 2011 and describes the overarching strategy for modernizing the Agency’s infrastructure and transition process in support of the business, as well as the specific IT projects and approach EPA will use to achieve its target architecture. As such, OEI plans to update the EPA Modernization Blueprint in February 2012 with specifics regarding the roadmap and the acquisition strategy that provides enhanced security capabilities for the Agency.

OEI stands committed to working with your staff on completing the remaining open recommendations found in Appendix B of this Draft Report.

Appendix B

Summaries of OIG Information Security Reports and Memorandum

The OIG has published several audit and evaluation reports and a memorandum assessing EPA’s information technology security. Selections of these are summarized below. The complete reports and memorandum can be accessed at http://www.epa.gov/oig/rpts_docs.htm.

OIG Technical Vulnerability Assessment Reports (FYs 2008–2010)

The OIG conducted testing at various locations to identify network vulnerabilities.
If not resolved, vulnerabilities can expose EPA’s assets to unauthorized access and potentially harm the Agency’s networks.

The testing, done as part of the Federal Information Security Management Act review, disclosed several high-risk and medium-risk vulnerabilities at the following EPA locations (the report publication number and date are in parentheses):

   • Andrew W. Breidenbach Environmental Research Center, Cincinnati, Ohio (10-P-0210, September 7, 2010)
   • Erlanger Building, Erlanger, Kentucky (10-P-0211, September 7, 2010)
   • Ronald Reagan Building, Washington, DC (10-P-0212, September 7, 2010)
   • Region 4, Atlanta, Georgia (10-P-0213, September 7, 2010)
   • Research Triangle Park Finance Center, Research Triangle Park, North Carolina (09-P-0227, August 31, 2009)
   • Great Lakes National Program Office, Chicago, Illinois (09-P-0185, June 30, 2009)
   • National Computer Center, Research Triangle Park, North Carolina (09-P-0186, June 30, 2009)
   • Region 8, Denver, Colorado (09-P-0187, June 30, 2009)
   • Potomac Yard Buildings, Arlington, Virginia (09-P-0188, June 30, 2009)
   • 1310 L Street Building, Washington, DC (09-P-0189, June 30, 2009)
   • EPA Headquarters, Washington, DC (09-P-0097, February 23, 2009)
   • Research Triangle Park Campus, Research Triangle Park, North Carolina (09-P-0055, December 9, 2008)
   • Las Vegas Finance Center, Las Vegas, Nevada (09-P-0054, December 9, 2008)
   • Radiation and Indoor Environments National Laboratory, Las Vegas, Nevada (09-P-0053, December 9, 2008)
   • Region 9, San Francisco, California (09-P-0052, December 9, 2008)

Improvements Needed in Key EPA Information System Security Practices (10-P-0146, June 15, 2010)

Williams, Adley & Company, LLP (Williams Adley), a firm that the OIG contracted with to perform the review, found that EPA program offices lacked evidence that they planned and executed tests of information system security controls as required by federal requirements. In addition, Williams Adley found that contingency plans developed and maintained by program offices were not current and accurate, and the certification and accreditation process and review of security plans needed improvements. EPA also had two authoritative system inventories that did not reconcile. Finally, EPA had contractor-owned and -operated systems in operation without proper oversight monitoring.

Williams Adley’s recommendations to the Director of the Office of Technology Operations and Planning included communicating and training EPA’s information security community on testing and documenting information systems security controls. Williams Adley also recommended that the Director enhance the quality assurance process to verify that self-assessments evaluate all required security controls.

Memorandum on EPA’s Fiscal Year 2010 Management Challenges (May 11, 2010)

EPA has a limited capacity to effectively respond to external network threats despite reports from security experts that APTs designed to steal or modify information without detection are becoming more prevalent throughout the government. Our ongoing analysis shows that the Agency has not addressed the challenge of remediating escalating threats from cyber security attacks. To date, EPA has reported that over 5,000 servers and user workstations may have been compromised as a result of recent cyber security attacks.² These compromised systems extend to every EPA regional office and headquarters.
Moreover, ongoing work disclosed that EPA could not identify the owners of approximately 10 percent of the Internet Protocol addresses that are potentially compromised due to an APT.

EPA leadership must meet this challenge head-on by sufficiently funding the development of a real capability to identify and investigate attacks against EPA’s computer and network systems. Moreover, Congress should fully consider EPA’s new budget proposals to ensure that the Agency has the fiscal capacity to tackle this challenge. EPA management cannot continue to rely on a “pay as you go” mentality; rather, EPA needs an established budget for managing information technology infrastructure and security. Key leaders must understand the threats that exist to EPA’s confidential business information and the importance of minimizing those risks. Furthermore, the Chief Information Officer and Office of Technology Operations and Planning leadership should carefully study and trust the classified intelligence materials provided to them regarding threats against government domains. The Agency should also develop a method to disseminate sensitive information, including classified data, to senior leadership and technical staff, especially when the network is reportedly (5,000 plus systems) compromised.

² As of September 15, 2010, the number of servers and user workstations that may have been compromised had increased to over 7,800.

Self-Reported Data Unreliable for Assessing EPA’s Computer Security Program (10-P-0058, February 2, 2010)

The oversight and monitoring procedures for ASSERT provide limited assurance the data are reliable for assessing EPA’s computer security program.
As a result:

   • Unsubstantiated responses for self-reported information contribute to data quality problems.
   • Limited independent reviews and lack of followup inhibit EPA’s ability to identify and correct data inaccuracies.
   • Independent reviews lack coordination with certification and accreditation activities.
   • Information security personnel believe they need more training on how to assess security controls and feel pressure to answer system security questions in a positive manner.
   • Limited internal reporting on required security controls and missing information in security plans inhibit external reporting.

Further, incomplete security documentation raises concerns as to whether the ASSERT application contractor is meeting federal requirements.

Improved Security Planning Needed for the Customer Technology Solutions Project (10-P-0028, November 16, 2009)

EPA lacks a process to routinely test Customer Technology Solutions (CTS) equipment for known vulnerabilities and to correct identified threats. Further, EPA placed CTS equipment into production without fully assessing the risk the equipment poses to the Agency’s network and authorizing the equipment for operations. The Office of Management and Budget requires federal agencies to create a security plan for each general support system and ensure the plan complies with guidance issued by NIST. Both vulnerability management and the preparation of critical security documents such as the Security Plan and the Authorization to Operate are paramount to fulfilling this requirement. These weaknesses exist because EPA undertook an aggressive schedule to install over 11,500 computers at 18 locations across the United States. As problems occurred during installation, management focused its attention on addressing these issues in order to meet the deployment schedule milestone.

Given the widespread use of CTS equipment, thousands of information resources provide a path for potential unauthorized access to EPA’s network. EPA lacks processes to identify these threats or the capability to lessen their impact.

On November 9, 2009, management signed an authorization to operate for the CTS equipment and outlined key actions that needed to be completed.

We Recommend

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program (09-P-0240, September 21, 2009)

EPA implemented 56 percent (15 of 27) of the information security audit recommendations we reviewed. EPA’s lack of progress on four key audit recommendations we made in 2004 and 2005 inhibits EPA from providing an Agency-wide process for security monitoring of its computer network. EPA has not established an Agency-wide network security monitoring program because EPA did not take alternative action when this project ran into significant delays. By not performing this critical function, EPA management lacked information necessary to respond to known threats against EPA’s network and to mitigate vulnerabilities before they can be exploited.

EPA offices do not regularly evaluate the effectiveness of actions taken to correct identified deficiencies, as required by Office of Management and Budget Circular A-123.
EPA is updating its audit management and oversight policies; we provided suggestions for strengthening them.

Appendix C

Open Recommendations

Below is a list of open audit recommendations, the implementation of which by the Office of Environmental Information would improve information security controls in Agency systems, programs, processes, or procedures. These recommendations, when implemented, could help the Agency strengthen cyber security areas and respond to APTs. Moreover, it appears the Agency should evaluate implementing these recommendations across the Agency (not just in locations listed below).

OIG open audit recommendations as of May 24, 2011

Security Configuration and Monitoring of EPA’s Remote Access Methods Need Improvement, Report No. 2005-P-00011

                                                                                    Planned      Revised
                                                                                    completion   completion
Open recommendation                                                                 date         date
Develop and implement a security-monitoring program that includes testing all       9/30/2005    6/30/2011
servers, and require all system administrators to register their servers with the
National Technology Services Division and participate in the security-monitoring
program.
Expand the Agency's security-monitoring program to include using a variety of       9/30/2005    6/30/2011
network vulnerability scanning tools to monitor registered servers.
Establish and implement a process to ensure program and regional offices            9/30/2005    6/30/2011
conduct regular security monitoring that includes vulnerability scanning.

EPA Could Improve Processes for Managing Contracting Systems and Reporting Incidents, Report No. 2007-P-00007

                                                                                    Planned      Revised
                                                                                    completion   completion
Open recommendation                                                                 date         date
Develop and implement guidance that EPA offices can use to identify                 9/18/2008    9/15/2011
appropriate contractor systems that contain EPA data.

EPA Could Improve Controls Over Mainframe System Software, Report No. 2007-P-00008

                                                                                    Planned      Revised
                                                                                    completion   completion
Open recommendation                                                                 date         date
Complete efforts to update the Office of Environmental Information (OEI)            9/18/2008    3/30/2013
Information Security Manual and the EPA Information Security Manual.
Subsequent to finalizing the changes, ensure the manuals are (1) reviewed
timely by EPA management for adequacy, accuracy, and completeness; and
(2) approved by EPA management in a timely manner.

Results of Technical Network Vulnerability Assessment: EPA Headquarters, Report No. 09-P-0097

                                                                                    Planned      Revised
                                                                                    completion   completion
Open recommendation                                                                 date         date
Develop and implement procedures to periodically review the data within IP          12/31/2010   4/30/2011
Registry for accuracy and completeness. These procedures should include, but
not be limited to, documenting any findings, issuing correspondences to the
responsible Program Offices to resolve the findings and maintaining documents
of all resolutions.

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program, Report No. 09-P-0240

                                                                                    Planned      Revised
                                                                                    completion   completion
Open recommendation                                                                 date         date
Issue an updated memorandum that: (a) reflects the current version of NIST          4/01/2011    8/30/2011
Special Publication 800-53; (b) requires continuous scanning/remediation on at
least a monthly basis; (c) requires continuous scanning/remediation be
performed using two tools concurrently; and (d) specifies what tools and
resources OEI can actually provide to help the applicable personnel fulfill these
responsibilities and what the applicable organization will have to obtain on their
own to perform these responsibilities.

Source: EPA OIG.

Appendix D

Distribution

Office of the Administrator
Assistant Administrator for Environmental Information and Chief Information Officer
Agency Followup Official (the CFO)
Agency Followup Coordinator
Director, Office of Technology Operations and Planning, Office of Environmental Information
General Counsel
Associate Administrator for Congressional and Intergovernmental Affairs
Associate Administrator for External Affairs and Environmental Education
Audit Followup Coordinator, Office of Environmental Information